
Geek Culture / Protection from a known hacker

Sparda
20
Years of Service
User Offline
Joined: 13th Jan 2004
Location: Pacifica
Posted: 4th Oct 2004 09:06 Edited at: 4th Oct 2004 09:21
Ok, I know a lot of noobs come here convinced they have been hacked, but I'm not a noob. I'd just like some advice.

About 4 days ago I was having a problem with AOL. I sign on for 1 minute and then get disconnected with an error message saying my connection has been interrupted. Unusual yes, but given AOL's crappiness I shrugged it off. After two days of the nonsense I decided it was too much (especially since my parents were using AOL on a different computer and different screen name without any problems). So I closed all ports with my firewall (Windows XP SP2 ICF) and the problem disappeared.

Now today, I decide to check my Earthlink email and see I have a message from my AOL account sent the night I was having all my problems. Contained in the email is an attachment of .zip with the "llddk.exe+" file inside. The email also contained some gibberish at the bottom: "Pass: 06314"
=/

I KNOW I didn't send that. I searched my comp for trojans using NAV and got nothing. I don't know how to get rid of this. Help?

-Edit - Forgot another thing. Several times when I've been signed online at school I get bumped off. The error says my screenname has signed on at another location.


Lynx
20
Years of Service
User Offline
Joined: 28th Jan 2004
Location: IRC chat
Posted: 4th Oct 2004 09:10
Get rid of AOL...

You never know what's in your closet until you take a look.
CattleRustler
Retired Moderator
21
Years of Service
User Offline
Joined: 8th Aug 2003
Location: case modding at overclock.net
Posted: 4th Oct 2004 09:29
someone has your aol account info
change your password
notify aol


DBP_NETLIB_v1.4.3 DarkTOPIA site coming soon!
Ian T
22
Years of Service
User Offline
Joined: 12th Sep 2002
Location: Around
Posted: 4th Oct 2004 09:44
Your problem can be summed up in two (four) words: AOL sucks. Not only is their software crappy user-side, but it is about the easiest database to hack into that exists on their end.

Of course, if either computer has a simple trojan, it easily could have sent that email without any hacking existing. There are many possibilities, all of which can be solved with a good spyware scan and a better ISP.


"Did you just call my girlfriend a cow?"
Sparda
20
Years of Service
User Offline
Joined: 13th Jan 2004
Location: Pacifica
Posted: 4th Oct 2004 09:51
Thanks for responses everyone. As soon as I can get in touch with my Dad, the master account holder, and let him know, I'll change my password right away.

I have done full system scans with NAV, Spybot, and Adaware and they didn't pick up anything.

One more thing - several of my account settings have changed, those that control what I have access to.

I only use AOL 50% of the time and I don't have to pay for it which is always nice. The other 50% of the time I use my cable (yay)


Ilya
21
Years of Service
User Offline
Joined: 10th Aug 2003
Location:
Posted: 4th Oct 2004 10:36
Do you have Adelphia?
Use cable all the time.
GayOL sucks.

Ian T
22
Years of Service
User Offline
Joined: 12th Sep 2002
Location: Around
Posted: 4th Oct 2004 10:44
I recommend Verizon. We switched to them from Earthlink... 100% uptime now, and half again as fast broadband for a reduced cost. The customer support is worlds better. Very nice.


"Did you just call my girlfriend a cow?"
Indian Homie G
20
Years of Service
User Offline
Joined: 23rd Jan 2004
Location: San Jose, CA
Posted: 4th Oct 2004 10:59
Quote: "Location: 127.0.0.1 "


If that's your real IP, it can't be any good to be advertising it to everyone.

AMD Athlon XP 3000+, S3 Deltachrome s8, 512 PC3200 RAM, 160 GB HD
FoxBlitzz
20
Years of Service
User Offline
Joined: 19th Nov 2003
Location: United States
Posted: 4th Oct 2004 11:05
Quote: "I only use AOL 50% of the time and I don't have to pay for it which is always nice."


Um... free versions of AOL steal your password.

HP Pavilion | Intel Pentium 4 CPU 2.40 GHz
512 MB Ram | NVIDIA GeForceFX 5600 AGP, with 256 MB Ram
Programmer Xtreme
20
Years of Service
User Offline
Joined: 20th Aug 2004
Location: Wack House
Posted: 4th Oct 2004 11:16
So....YOU WERE the guy I stole connection from...Really.

Programmers United-Programming for programmers
http://www.programmersunited.com/IM.gif - go there to see my sig.
bitJericho
21
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 4th Oct 2004 11:20
Location: 127.0.0.1

that's localhost indian, sheesh

I don't like you.
Ilya
21
Years of Service
User Offline
Joined: 10th Aug 2003
Location:
Posted: 4th Oct 2004 11:21
Quote: "your real IP"

How can 127.0.0.1 be your real IP?!
127.0.0.1 is your computer's IP. It's always 127.0.0.1 for everybody.

Ian T
22
Years of Service
User Offline
Joined: 12th Sep 2002
Location: Around
Posted: 4th Oct 2004 11:34



"Did you just call my girlfriend a cow?"
CattleRustler
Retired Moderator
21
Years of Service
User Offline
Joined: 8th Aug 2003
Location: case modding at overclock.net
Posted: 4th Oct 2004 12:52
lol, 127.0.0.1 is called "local loopback" and is the ip assigned to the system's main virtual adapter.


DBP_NETLIB_v1.4.3 DarkTOPIA site coming soon!
Mnemonix
21
Years of Service
User Offline
Joined: 2nd Dec 2002
Location: Skaro
Posted: 5th Oct 2004 19:11
to hax0r my computer, type 127.0.0.1 into your address bar.

The 3d chat is coming...
In the meantime, come in the IRC. Ask me for details!!.
Torrey
20
Years of Service
User Offline
Joined: 20th Aug 2004
Location: New Jersey
Posted: 5th Oct 2004 19:28
Almost sounds like your computer has an irc bot on it. If you're using a firewall the only way in would be to have the computer establish an outside connection, and that way is typically irc bots with hackers. With those bots the creator can upload any kind of virus, backdoor, keylogger or anything they'd like to your computer. Even if you report that problem to AOL, it'll still come back to haunt you. One thing you can do to see if it's a bot is, go to the command prompt and type netstat -a; that will give you a list of active connections on your system. If you see an irc server then you know it's a bot, but it's possible that some coders that produce these bots hide the connection from the netstat list, and the running processes list. Let us know what you find.
Torrey
20
Years of Service
User Offline
Joined: 20th Aug 2004
Location: New Jersey
Posted: 5th Oct 2004 19:34
@konrad

If you would, and still have that file you mentioned that was sent out. Email it to me: blackgate@blackgate.us

I work with anti-virus companies and virus writers themselves each day, and I can analyze that file for you.
Ilya
21
Years of Service
User Offline
Joined: 10th Aug 2003
Location:
Posted: 6th Oct 2004 06:13
Does any antivirus keep the autoexec.bat file blank?

OSX Using Happy Dude
21
Years of Service
User Offline
Joined: 21st Aug 2003
Location: At home
Posted: 6th Oct 2004 06:51
No, but it will be blank in XP as it's not used.


Come to the UK Convention on the 23rd & 24th of October
Sparda
20
Years of Service
User Offline
Joined: 13th Jan 2004
Location: Pacifica
Posted: 6th Oct 2004 07:16 Edited at: 6th Oct 2004 07:21
@Torrey - Yes, netstat was one of the reasons I thought I was being connected to. I noticed I had six connections, when usually there are only two through dialup. Thanks, I think I deleted the email in its entirety, but I'll check. If it's still there, then I'll forward it.

Edit - Ok, I did have the email and I forwarded it to you guys. Thanks a lot, really. I didn't change anything about the email. The subject line reads



Sparda
20
Years of Service
User Offline
Joined: 13th Jan 2004
Location: Pacifica
Posted: 6th Oct 2004 07:21
Quote: ""I only use AOL 50% of the time and I don't have to pay for it which is always nice.""


I meant my parents pay for it

And thanks for clearing up the 127.0.0.1 controversy


Ilya
21
Years of Service
User Offline
Joined: 10th Aug 2003
Location:
Posted: 6th Oct 2004 07:52
Tell them to stop. AOL doesn't deserve your money.

Torrey
20
Years of Service
User Offline
Joined: 20th Aug 2004
Location: New Jersey
Posted: 6th Oct 2004 14:20 Edited at: 6th Oct 2004 14:20
The virus inside that file is Bagle.H.
Quote: "W32.Beagle.H@mm is a mass-mailing worm that opens a backdoor on TCP port 2745 and uses its own SMTP engine to spread through email. It also sends the attacker the port on which the backdoor listens, as well as the IP address. The email attachment is a randomly named .exe file inside a .zip file. The embedded .exe file is password-protected with a random password."


Since you didn't use a firewall before, I'm thinking that your computer reported back to one of those web servers to tell the creator which ip and port was open on your computer to access the backdoor. The hacker that entered your computer probably installed other backdoor features to grab information off your machine so in the case you discover the virus and remove it, the backdoor remains there. Once you visit the link below and check out the various places to remove the virus's remains, check for other strange things too. For example, in the registry under the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run the other backdoor the hacker installed could be in there. He uses that key in the registry to start his backdoor or server each time the computer starts. Be sure to check the Startup folder in the start menu, sometimes this can contain hidden files that are also started when windows starts.

More detailed information and removal instructions can be found here: http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.h@mm.html
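The two checks Torrey describes in this thread (netstat for a backdoor listener or an IRC-bot connection, and the Run key plus Startup folder for persistence) as one added triage script for a modern Windows host. This is example code written for this page, not anything from the thread or from Symantec; port 2745 comes from the Bagle.H description above, while the IRC port list and the process-name lookup are assumptions of mine.

```powershell
# Added example: host triage for the symptoms discussed in the thread.
# Run in an elevated PowerShell so netstat -ano shows owning PIDs.

$backdoorPorts = @(2745)                      # W32.Beagle.H@mm backdoor port (from the thread)
$ircPorts      = (6660..6669) + @(6697, 7000) # common IRC server ports (assumption, not from the thread)

# 1. Parse "netstat -ano" TCP rows into objects: local/remote endpoint, state, owning PID.
$conns = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' } | ForEach-Object {
    $f = ($_ -split '\s+') | Where-Object { $_ }           # drop empty leading field
    [pscustomobject]@{
        Local      = $f[1]; Remote = $f[2]; State = $f[3]; PID = [int]$f[4]
        LocalPort  = [int](($f[1] -split ':')[-1])         # works for IPv4 and [::]:port forms
        RemotePort = [int](($f[2] -split ':')[-1])
    }
}

# 2. Flag a listener on the Bagle backdoor port, or an established session to an IRC port,
#    and resolve the owning process so the row can be compared with the process list.
$flagged = $conns | Where-Object {
    ($_.State -eq 'LISTENING'   -and $backdoorPorts -contains $_.LocalPort) -or
    ($_.State -eq 'ESTABLISHED' -and $ircPorts      -contains $_.RemotePort)
} | ForEach-Object {
    $proc = Get-Process -Id $_.PID -ErrorAction SilentlyContinue
    $_ | Add-Member -NotePropertyName Process -NotePropertyValue $proc.ProcessName -PassThru
}

# 3. Persistence: every value under the per-user and machine-wide Run keys.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runEntries = foreach ($k in $runKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

# 4. Startup folders; -Force includes the hidden files the thread warns about.
$startupDirs  = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
$startupItems = Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue

"== Suspicious TCP connections ==";      $flagged      | Format-Table Local, Remote, State, PID, Process -AutoSize
"== Run-key entries (review each path) =="; $runEntries | Format-Table Key, Name, Command -AutoSize
"== Startup folder items (incl. hidden) ==";  $startupItems | Select-Object FullName, Attributes
```

An empty first table is not proof of a clean host: as the thread notes, a bot can hide its connection from netstat, so compare the Run-key and Startup results against what you expect to be there rather than relying on the port heuristic alone.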
Sparda
20
Years of Service
User Offline
Joined: 13th Jan 2004
Location: Pacifica
Posted: 7th Oct 2004 07:27
Thanks man, really thanks a lot. I had already cleaned two worms I found in C:\Recycler\, but now I'll go back and take another look. Thanks again


JoelJ
21
Years of Service
User Offline
Joined: 8th Sep 2003
Location: UTAH
Posted: 7th Oct 2004 07:57
Quote: "notify aol"

BAHHAHAHAHAHAHAHAHAHAHAHAAHAHH
sorry...

Absent.
Sparda
20
Years of Service
User Offline
Joined: 13th Jan 2004
Location: Pacifica
Posted: 7th Oct 2004 08:39
Scanned the computer with the BeagleFix tool and passed <yay> Yep, I'm guessing that's what I had. I read the whole documentation on the virus and it says it searches for certain types of files on the computer for email addresses and then emails the virus there. That explains how they knew my earthlink address

Again thanks to everyone (especially Torrey) for their help.

The rest of you, thanks for laughing at my plight


Phaelax
DBPro Master
21
Years of Service
User Offline
Joined: 16th Apr 2003
Location: Metropia
Posted: 7th Oct 2004 08:47
I used to keep trojans installed in hopes some newbie "hackers" would try my machine. For the more popular backdoor programs like sub7 and netbus, there were others that would trap attackers and send funny messages back to them. It was quite amusing sometimes.

"eureka" - Archimedes
